Forum Discussion
Licensing Cloud App Security
I have a question regarding licenses in Office 365 and especially the special services Microsoft offers (for example Office 365 Cloud App Security).
Do I need to license only users who use the Cloud App Security admin portal, or do I need to license every user actively using one of the Office 365 services.
Also I am wondering what happens if i don't license a user properly in the second case, will his actions not be logged and used by Cloud App Security or am I violating the license terms and will the product still function.
Any help or links to resources about licensing will be much appreciated.
Like some features in Office 365, and many features in Azure Active Directory or the Enterprise Mobility+Security suite of services, you need to license every user that will benefit from the use of the services. It's a common misconception that you only need to license administrators for Office 365 E5 to cover the use of this functionality, but that is not the case.
There are, unfortunately, no technical gates in the product to assist you with license compliance or to prevent non-compliance.
8 Replies
"Microsoft Cloud App Security is licensed per user per month. All the users who are protected and covered with the Cloud App Security service, need to be licensed for full compliance."
From the comments by a Microsft employee - https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security
By the way, make sure to check out - https://docs.microsoft.com/en-us/cloud-app-security/editions-cloud-app-security-o365
Just to confuse matters, Office 365 Cloud App Security is part of Office 365 Enterprise E5 or an add-on, while the full-featured version, Microsoft Cloud App Security is part of Enterprise Mobility + Security E5 or as an add-on.
If I have a some administrators with Enterprise Mobility + Security E5, but the majority of users are Enterprise Mobility + Security E3, as I have now enabled MCAS rather then just using OCAS. Would all users need to be Enterprise Mobility + Security E5 to be correctly licensed, or do the E3 users just used to OCAS functionlity.
As it exists today, you would need all of those E3 users to either be upgraded to EMS E5, or purchase a standalone MCAS add-on license, assuming they're all licensed for EMS E3 (Office 365 user SL doesn't matter - different suite).
It's a fair amount of work - but you might also be able to use scoped deployment now to isolate the use of MCAS just to your administrators and users that you want covered.
https://docs.microsoft.com/en-us/cloud-app-security/scoped-deployment
Like some features in Office 365, and many features in Azure Active Directory or the Enterprise Mobility+Security suite of services, you need to license every user that will benefit from the use of the services. It's a common misconception that you only need to license administrators for Office 365 E5 to cover the use of this functionality, but that is not the case.
There are, unfortunately, no technical gates in the product to assist you with license compliance or to prevent non-compliance.
- Thank you very much for your response.
So if I understand you correctly, the product (in this case Cloud App Security) will function for every user even if you don't license them properly, but you will be non-compliant and violating the terms if you do so (which is probably even worse).Unfortunately, that is correct.
